LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

March 2013

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA March 2013

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Low: dovecot on SL6.x i386/x86_64
From:	Pat Riehecky <[log in to unmask]>
Reply To:	Pat Riehecky <[log in to unmask]>
Date:	Mon, 4 Mar 2013 13:09:42 -0600
Content-Type:	text/plain
Parts/Attachments:	text/plain (63 lines)

Synopsis:          Low: dovecot security and bug fix update
Issue Date:        2013-02-21
CVE Numbers:       CVE-2011-2166
                    CVE-2011-2167
                    CVE-2011-4318
--

Two flaws were found in the way some settings were enforced by the 
script-login
functionality of Dovecot. A remote, authenticated user could use these 
flaws to
bypass intended access restrictions or conduct a directory traversal 
attack by
leveraging login scripts. (CVE-2011-2166, CVE-2011-2167)

A flaw was found in the way Dovecot performed remote server identity
verification, when it was configured to proxy IMAP and POP3 connections to
remote hosts using TLS/SSL protocols. A remote attacker could use this 
flaw to
conduct man-in-the-middle attacks using an X.509 certificate issued by a
trusted Certificate Authority (for a different name). (CVE-2011-4318)

This update also fixes the following bug:

* When a new user first accessed their IMAP inbox, Dovecot was, under some
circumstances, unable to change the group ownership of the inbox 
directory in
the user's Maildir location to match that of the user's mail spool
(/var/mail/$USER). This correctly generated an "Internal error occurred"
message. However, with a subsequent attempt to access the inbox, Dovecot saw
that the directory already existed and proceeded with its operation, leaving
the directory with incorrectly set permissions. This update corrects the
underlying permissions setting error. When a new user now accesses their 
inbox
for the first time, and it is not possible to set group ownership, Dovecot
removes the created directory and generates an error message instead of 
keeping
the directory with incorrect group ownership.

After installing the updated packages, the dovecot service will be restarted
automatically.
--

SL6
   x86_64
     dovecot-2.0.9-5.el6.i686.rpm
     dovecot-2.0.9-5.el6.x86_64.rpm
     dovecot-debuginfo-2.0.9-5.el6.i686.rpm
     dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm
     dovecot-mysql-2.0.9-5.el6.x86_64.rpm
     dovecot-pgsql-2.0.9-5.el6.x86_64.rpm
     dovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm
     dovecot-devel-2.0.9-5.el6.x86_64.rpm
   i386
     dovecot-2.0.9-5.el6.i686.rpm
     dovecot-debuginfo-2.0.9-5.el6.i686.rpm
     dovecot-mysql-2.0.9-5.el6.i686.rpm
     dovecot-pgsql-2.0.9-5.el6.i686.rpm
     dovecot-pigeonhole-2.0.9-5.el6.i686.rpm
     dovecot-devel-2.0.9-5.el6.i686.rpm

- Scientific Linux Development Team

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV